[SOLVED] OVPN 2.2.0 + Mikrotiks + Windows Clients

spc
OpenVpn Newbie
Posts: 8
Joined: Mon Oct 24, 2011 6:25 pm

[SOLVED] OVPN 2.2.0 + Mikrotiks + Windows Clients

Post by spc » Mon Oct 24, 2011 6:59 pm

Hi there,


I have installed OpenVPN Server (2.2.0) on Linux (CentOS 5.6) with a few Mikrotik routers for hotspot authentication under VPN. The Mikrotiks are working, with a few disconnects every hour, but the Windows clients could not connect.

Linux Server - Mikrotik Clients/ Windows Clients

server.conf
port 23
mode server
server 172.16.100.0 255.255.255.0

proto tcp-server
dev tun
tls-server

ca keys/XXX/ca.crt
cert keys/XXX/XXX.crt
key keys/XXX/XXX.key
dh keys/XXX/dh2048.pem

crl-verify keys/XXX/crl.pem
ifconfig-pool-persist ipp.txt
cipher BF-CBC
max-clients 50
keepalive 10 120
client-config-dir /etc/openvpn/servers/XXX/ccd
#comp-lzo
user nobody
group adm
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
ccd-exclusive
verb 3


#comp-lzo and UDP are disabled because the Mikrotik routers do not support them.

I have set a static IP for each Mikrotik router and Windows client in the ccd file (ipp.txt did not set the correct IP address).
ccd file for Mikrotik1

#ifconfig-push clientIP serverIP
ifconfig-push 172.16.100.10 172.16.100.1
ccd file for windowsclient1

ifconfig-push 172.16.100.9 255.255.255.0
Windows clients could not connect; I get this error in the log file.
[X@X openvpn]# tail -f openvpn.log
Mon Oct 24 19:38:38 2011 xx.240.218.xx:57042 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 24 19:38:38 2011 xx.240.218.xx:57042 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 24 19:38:38 2011 xx.240.2x.xx:57042 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 24 19:38:38 2011 xx.240.218.xx:57042 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Oct 24 19:38:38 2011 xx.240.218.xx:57042 [mikrotik1] Peer Connection Initiated with xx.240.218.xx:57042
Mon Oct 24 19:38:38 2011 mikrotik1/xx.240.218.xx:57042 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/servers/XXXXX/ccd/mikrotik1
Mon Oct 24 19:38:38 2011 mikrotik1/xx.240.218.xx:57042 MULTI: Learn: 172.16.100.10 -> mikrotik1/xx.240.218.xx:57042
Mon Oct 24 19:38:38 2011 mikrotik1/xx.240.218.xx:57042 MULTI: primary virtual IP for mikrotik1/xx.240.218.xx:57042: 172.16.100.10
Mon Oct 24 19:38:38 2011 mikrotik1/xx.240.218.xx:57042 PUSH: Received control message: 'PUSH_REQUEST'
Mon Oct 24 19:38:38 2011 mikrotik1/xx.240.218.xx:57042 SENT CONTROL [mikrotik1]: 'PUSH_REPLY,route 172.16.100.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.100.10 172.16.100.1' (status=1)
Mon Oct 24 19:39:45 2011 MULTI: multi_create_instance called
Mon Oct 24 19:39:45 2011 Re-using SSL/TLS context
Mon Oct 24 19:39:45 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Oct 24 19:39:45 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Mon Oct 24 19:39:45 2011 Local Options hash (VER=V4): '7e068940'
Mon Oct 24 19:39:45 2011 Expected Remote Options hash (VER=V4): 'db02a8f8'
Mon Oct 24 19:39:45 2011 TCP connection established with xx.240.218.xx:57060
Mon Oct 24 19:39:45 2011 TCPv4_SERVER link local: [undef]
Mon Oct 24 19:39:45 2011 TCPv4_SERVER link remote: xx.240.218.xx:57060
Mon Oct 24 19:39:45 2011 xx.240.218.xx:57060 TLS: Initial packet from xx.240.218.xx:57060, sid=ea142558 cbfd8ff3
Mon Oct 24 19:39:49 2011 xx.240.218.xx:57060 CRL CHECK OK: /C=xx/ST=xxx/L=xxx/O=xxx.xx/emailAddress=xx@xxx.xxx
Mon Oct 24 19:39:49 2011 xx.240.218.xx:57060 VERIFY OK: depth=1, /C=xx/ST=xxx/L=xxx/O=xxx.xx/emailAddress=xx@xxx.xxx
Mon Oct 24 19:39:49 2011 xx.240.218.xx:57060 CRL CHECK OK: /C=xx/ST=xxx/L=xxx/O=xxx.xx/emailAddress=windowsclient@xxx.xxx
Mon Oct 24 19:39:49 2011 xx.240.218.xx:57060 VERIFY OK: depth=0, /C=xxx/ST=xx/L=xxx/O=xxx.xx/OU=Office/CN=windowsclient1/emailAddress=windowsclient@xxx.xxx
Mon Oct 24 19:39:50 2011 xx.240.218.xx:57060 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 24 19:39:50 2011 xx.240.218.xx:57060 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 24 19:39:50 2011 xx.240.218.xx:57060 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 24 19:39:50 2011 xx.240.218.xx:57060 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 24 19:39:50 2011 xx.240.218.xx:57060 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Oct 24 19:39:50 2011 xx.240.218.xx:57060 [windowsclient1] Peer Connection Initiated with xx.240.218.xx:57060
Mon Oct 24 19:39:50 2011 windowsclient1/xx.240.218.xx:57060 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/servers/XXXX/ccd/windowsclient1
Mon Oct 24 19:39:50 2011 windowsclient1/xx.240.218.xx:57060 MULTI: Learn: 172.16.100.9 -> windowsclient1/xx.240.218.xx:57060
Mon Oct 24 19:39:50 2011 windowsclient1/xx.240.218.xx:57060 MULTI: primary virtual IP for windowsclient1/xx.240.218.xx:57060: 172.16.100.9
Mon Oct 24 19:39:52 2011 windowsclient1/xx.240.218.xx:57060 PUSH: Received control message: 'PUSH_REQUEST'
Mon Oct 24 19:39:52 2011 windowsclient1/xx.240.218.xx:57060 SENT CONTROL [windowsclient1]: 'PUSH_REPLY,route 172.16.100.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.100.9 255.255.255.0' (status=1)
Mon Oct 24 19:39:53 2011 windowsclient1/xx.240.218.xx:57060 Connection reset, restarting [-1]
Mon Oct 24 19:39:53 2011 windowsclient1/xx.240.218.xx:57060 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mon Oct 24 19:39:53 2011 TCP/UDP: Closing socket
Windowsclient1 is stuck at "getting configuration".
windowsclient1 config file

client
proto tcp-client
dev tun
ca ca.crt
dh dh2048.pem
cert windowsclient1.crt
key windowsclient1.key
remote server.xx.xx 23
cipher BF-CBC
verb 2
mute 20
keepalive 10 120
persist-key
persist-tun
float
resolv-retry infinite
nobind
Config files were generated by the Webmin module for OpenVPN+CA.

Any help ?

Thanks

spc
OpenVpn Newbie
Posts: 8
Joined: Mon Oct 24, 2011 6:25 pm

Re: OVPN 2.2.0 + Mikrotiks + Windows Clients

Post by spc » Mon Oct 24, 2011 9:00 pm

I can connect with the Windows client if I do not use the pushed IP address in the ccd file for my certificate. But I cannot set a static IP address; it gets one from some DHCP (172.16.100.6 ??).

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: OVPN 2.2.0 + Mikrotiks + Windows Clients

Post by Mimiko » Tue Oct 25, 2011 6:16 am

It's because you've got something wrong. Please read the FAQ, manual and how-tos to find better answers and configurations.
UDP are disabled because mikrotik routers does not support
How come? Mikrotik is Linux based, so virtually anything that Linux can support, Mikrotik can support too. Maybe its minimalistic Linux does not include support for UDP, which I think you can add.
ccd file for Mikrotik1
#ifconfig-push clientIP serverIP
ifconfig-push 172.16.100.10 172.16.100.1

ccd file for windowsclient1
ifconfig-push 172.16.100.9 255.255.255.0
Why are you using different formats for the clients? For Windows you must use serverIP, not a mask.
mode server
server 172.16.100.0 255.255.255.0
tls-server
If you are using the "server" option, "mode server" and "tls-server" are not needed. See the manual for the "server" option.
When specifying "server 172.16.100.0 255.255.255.0" you tell the server to create a PtP link for each client, so you can't use 172.16.100.1 as the serverIP in the ccd file for Mikrotik1. Please read this post for clarification: post16667.html#p16667.

spc
OpenVpn Newbie
Posts: 8
Joined: Mon Oct 24, 2011 6:25 pm

Re: OVPN 2.2.0 + Mikrotiks + Windows Clients

Post by spc » Tue Oct 25, 2011 3:20 pm

Hi,

Thanks for the help Mimiko, I have read some more documentation and some things are easier to understand now.

I have followed a few users and changed my config file a bit.

I need to set static IP addresses for my Mikrotik routers and windowsclient1 (me, for administration).
port 23
proto tcp
dev tun

ca keys/XXX/ca.crt
cert keys/XXX/xxx-radius-main.crt
key keys/XXXt/xxx-radius-main.key
dh keys/XXX/dh2048.pem

server 172.16.100.0 255.255.255.0

client-config-dir /etc/openvpn/servers/XXX/ccd
ccd-exclusive

client-to-client

persist-key
persist-tun

crl-verify keys/XXX/crl.pem

#ifconfig-pool-persist ipp.txt
cipher BF-CBC


keepalive 10 120

user nobody
group adm

status openvpn-status.log
log-append openvpn.log
verb 3
I will only use ifconfig-push to set up static IP addresses for the Mikrotiks (172.16.100.10 to 20), because I can set the Mikrotik static IP and the server static IP (172.16.100.1).

The ccd file for each Mikrotik is working with the correct IP addresses, and I can also ping the server from the Mikrotiks.
ifconfig-push 172.16.100.x 172.16.100.1
In the ccd for windowsclient1 I now have
ifconfig-push 172.16.100.5 172.16.100.1
but I cannot connect to the server. If I comment out the ifconfig-push I can establish the connection, but I cannot set the correct server IP address and windowsclient1 IP address.

Do I need to change something in the ifconfig-push for Windows clients?


Thanks

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: OVPN 2.2.0 + Mikrotiks + Windows Clients

Post by Mimiko » Wed Oct 26, 2011 5:17 am

If you want to push those IPs without reading that post, then insert "topology subnet" into the server's config.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: OVPN 2.2.0 + Mikrotiks + Windows Clients

Post by janjust » Wed Oct 26, 2011 12:37 pm

The format of the CCD ifconfig-push parameter is badly documented. Either use 'topology subnet' or change the ifconfig-push statements to

ifconfig-push 172.16.100.6 172.16.100.5
The general format for the Nth client is
ifconfig-push 172.16.100.(4*N+2) 172.16.100.(4*N+1)
so the FIRST IP is always higher than the second.
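An added Python example (not from the thread and not OpenVPN's own code) that turns the net30 rule above into a check: it derives the /30 pair for the Nth client from the pool 172.16.100.0/24 used in this thread and validates ccd ifconfig-push lines under both "topology net30" and "topology subnet". Function names are mine.

```python
# Added example, not part of the thread or of OpenVPN itself.
# Checks ccd "ifconfig-push" lines against the addressing rule for
# "topology net30" (the OpenVPN 2.2 default) versus "topology subnet".
import ipaddress


def net30_pair(pool: str, n: int) -> tuple[str, str]:
    """Client/server endpoints of the Nth /30 carved out of the pool.
    In net30 each client owns a /30: client = base + 4*N + 2, server
    endpoint = base + 4*N + 1, i.e. 172.16.100.(4*N+2) / 172.16.100.(4*N+1).
    """
    net = ipaddress.ip_network(pool)
    base = int(net.network_address)
    client = ipaddress.ip_address(base + 4 * n + 2)
    server = ipaddress.ip_address(base + 4 * n + 1)
    if client not in net:
        raise ValueError(f"client {n} does not fit in {pool}")
    return str(client), str(server)


def check_ifconfig_push(line: str, topology: str = "net30") -> tuple[bool, str]:
    """Return (ok, reason) for one ccd line under the given topology."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return False, "expected: ifconfig-push <client-ip> <server-ip|netmask>"
    try:
        client = ipaddress.ip_address(parts[1])
    except ValueError:
        return False, f"{parts[1]} is not a valid client address"
    if topology == "subnet":
        # Second argument is the netmask, e.g. 255.255.255.0.
        try:
            ipaddress.ip_network(f"{client}/{parts[2]}", strict=False)
        except ValueError:
            return False, f"{parts[2]} is not a netmask (topology subnet)"
        return True, "ok for topology subnet"
    # net30: second argument is the server end of the client's own /30.
    # The Windows TAP driver requires this pairing; the Mikrotik clients in
    # the thread accept 172.16.100.1 as remote, so this is the strict check.
    try:
        server = ipaddress.ip_address(parts[2])
    except ValueError:
        return False, f"{parts[2]} is not a valid server endpoint"
    if int(client) % 4 != 2:
        return False, f"{client} is not the client host of a /30 (must be 4N+2)"
    if int(server) != int(client) - 1:
        return False, f"server end must be {ipaddress.ip_address(int(client) - 1)}"
    return True, "ok for topology net30"
```

Run against the thread's own lines: "172.16.100.9 255.255.255.0" and "172.16.100.5 172.16.100.1" fail under net30 (as they did for windowsclient1), while "172.16.100.6 172.16.100.5" passes.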

spc
OpenVpn Newbie
Posts: 8
Joined: Mon Oct 24, 2011 6:25 pm

Re: OVPN 2.2.0 + Mikrotiks + Windows Clients

Post by spc » Thu Oct 27, 2011 9:39 am

Thanks janjust and mimiko,

I probably did not explain myself well.

I did understand topology net30 and topology subnet, and I know that I can set a static IP in ipp.txt and how to do it, but for all my Mikrotik hotspot routers I need to have the same server IP 172.16.100.1 and a static Mikrotik IP, because the VPNs cannot change IP addresses, otherwise my RADIUS server will not identify and authenticate them correctly.

Now I have a ccd file for each Mikrotik router with 172.16.100.10 to 200 and the server IP 172.16.100.1, and they are working quite well.

For the windows1 client (management purposes) I did not set any config in the ccd file, and I can ping the server and every Mikrotik router.


I am using OpenVPN 2.2.0 with Webmin, and it is very nice and easy now to manage and add clients.

For all those that cannot see the Active Connections users in Webmin, you just need to add this line to your VPN configuration file: "management localhost 7505" and voilà!!



Thanks for pointing me to the correct sites to learn from.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: OVPN 2.2.0 + Mikrotiks + Windows Clients

Post by janjust » Thu Oct 27, 2011 11:00 am

Problem solved, closing topic.